Vulnerability CVE-2013-3661


Published: 2013-05-24   Modified: 2013-05-25

Description:
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
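The failure mode in the description is a linked-list walk that follows `pprnext` until NULL and never checks whether it has come back to a record it already visited. The following C program is an added illustration of that pattern and of the standard defence, not code from win32k.sys or from any of the advisories below: the `PATHRECORD` layout, the `PD_BEZIER` value and the sample chains are assumptions constructed for the example, and the `budget` argument exists only so the naive walk terminates here (the kernel loop has no such cap). The hardened walk uses Floyd's tortoise-and-hare cycle detection to refuse a chain that revisits a member instead of spinning on it. How a user-mode caller gets such a chain in front of the kernel is the subject of the linked advisories and is not reproduced.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-in for win32k's PATHRECORD. The field names follow the
 * public naming (pprnext/pprprev/flags/count), but the layout, the flag
 * value and the omitted point array are assumptions for this example. */
#define PD_BEZIER 0x10UL  /* assumed flag value: record holds Bezier control points */

typedef struct pathrec {
    struct pathrec *pprnext;   /* next record in the path's chain */
    struct pathrec *pprprev;   /* previous record */
    unsigned long   flags;     /* PD_* flags */
    unsigned long   count;     /* number of points in this record (not modelled) */
} PATHRECORD;

/*
 * Naive walk, in the shape the CVE describes: advance along pprnext until
 * NULL with no check that a record is being revisited.  A chain whose
 * pprnext links lead back to an earlier member never reaches NULL, so the
 * loop never exits.  `budget` exists only so this demonstration terminates;
 * the real kernel loop has no such cap.  Returns the number of records
 * visited, or -1 once `budget` steps are exceeded.
 */
long walk_naive(const PATHRECORD *first, long budget)
{
    long n = 0;
    for (const PATHRECORD *ppr = first; ppr != NULL; ppr = ppr->pprnext) {
        if (++n > budget)
            return -1;
        /* per-record work (e.g. flattening PD_BEZIER records) would go here */
    }
    return n;
}

/*
 * Hardened walk: Floyd's tortoise-and-hare.  `slow` advances one record per
 * step, `fast` two; if the chain revisits any member, `fast` eventually lands
 * on `slow` and the walk reports failure instead of spinning.  Returns the
 * number of records visited, or -1 if the chain revisits a record.
 */
long walk_checked(const PATHRECORD *first)
{
    const PATHRECORD *slow = first;
    const PATHRECORD *fast = first;
    long n = 0;

    while (slow != NULL) {
        n++;
        if (fast != NULL) fast = fast->pprnext;
        if (fast != NULL) fast = fast->pprnext;
        slow = slow->pprnext;
        if (fast != NULL && fast == slow)
            return -1;                 /* same member reached twice: cycle */
    }
    return n;
}

/* Constructed sample chains (static storage; not real GDI path data). */
static PATHRECORD g_clean[3];
static PATHRECORD g_cyclic[3];

static void link_three(PATHRECORD recs[3])
{
    for (int i = 0; i < 3; i++) {
        recs[i].pprnext = (i < 2) ? &recs[i + 1] : NULL;
        recs[i].pprprev = (i > 0) ? &recs[i - 1] : NULL;
        recs[i].flags   = (i == 1) ? PD_BEZIER : 0UL;
        recs[i].count   = 4;
    }
}

/* Well-formed chain: rec0 -> rec1 -> rec2 -> NULL */
const PATHRECORD *sample_clean(void)
{
    link_three(g_clean);
    return &g_clean[0];
}

/* Crafted chain: rec0 -> rec1 -> rec2 -> rec1 -> ...  The last record's
 * pprnext points back at an already-visited member, so the walk never ends. */
const PATHRECORD *sample_cyclic(void)
{
    link_three(g_cyclic);
    g_cyclic[2].pprnext = &g_cyclic[1];
    return &g_cyclic[0];
}

int main(void)
{
    printf("naive   clean : %ld records\n", walk_naive(sample_clean(), 1000));
    printf("naive   cyclic: %ld (budget exhausted; unbounded in the kernel)\n",
           walk_naive(sample_cyclic(), 1000));
    printf("checked clean : %ld records\n", walk_checked(sample_clean()));
    printf("checked cyclic: %ld (cycle detected, walk aborted)\n",
           walk_checked(sample_cyclic()));
    return 0;
}
```

In kernel code the checked walk is the cheap option: it costs one extra pointer per step and no allocation, and it turns an unkillable spin inside win32k (availability impact "Complete" in the CVSS vector below) into an ordinary failure return. A bounded step count keyed to the path's known record count is an equally valid guard when that count is trustworthy.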

See advisories in our WLB2 database:

Severity  Topic                                                                   Author         Date
High      Microsoft win32k EPATHOBJ pprFlattenRec missing initialise the pointer  Tavis Ormandy  18.05.2013
High      Windows 8 to NT EPATHOBJ Local Ring 0 Exploit                           Tavis Ormandy  03.06.2013
High      Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation Metasploit   Juan Vazquez   02.07.2013

Type:

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), as listed in this database.

Note that this mapping is a misclassification: the weakness described above is a linked-list walk with no guard against revisiting the same PATHRECORD, i.e. a loop with an unreachable exit condition (CWE-835, 'Infinite Loop'), and has nothing to do with filesystem path traversal.

CVSS2 => (AV:L/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score:          4.9/10
Impact Subscore:          6.9/10
Exploitability Subscore:  3.9/10

Exploit range:            Local
Attack complexity:        Low
Authentication:           Not required
Confidentiality impact:   None
Integrity impact:         None
Availability impact:      Complete
Affected software:
Microsoft -> Windows 7
Microsoft -> Windows 8
Microsoft -> Windows RT
Microsoft -> Windows Server 2003
Microsoft -> Windows Server 2008
Microsoft -> Windows Server 2012
Microsoft -> Windows Vista
Microsoft -> Windows XP

References:
http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw
http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/
http://www.osvdb.org/93539
http://www.exploit-db.com/exploits/25611/
http://www.computerworld.com/s/article/9239477
http://twitter.com/taviso/statuses/335557286657400832
http://secunia.com/advisories/53435
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html

Copyright 2024, cxsecurity.com
